Glossary
DPIA
A Data Protection Impact Assessment is a GDPR-mandated risk analysis for high-risk data processing, required by Article 35. Whistleblowing typically triggers a DPIA because it involves systematic employee monitoring and special-category data such as allegations of criminal conduct. The DPIA documents purposes, data categories, risks, mitigation measures, and the opinion of the Data Protection Officer (DPO).
Full definition
A Data Protection Impact Assessment (DPIA), required by GDPR Article 35, is a structured analysis of the risks to data subjects posed by a particular processing activity. Whistleblowing typically triggers a DPIA because it involves systematic monitoring of employees and processes special-category data (e.g., allegations of criminal conduct). The DPIA documents: the processing purpose, the categories of data and subjects, the risks to rights and freedoms, the technical and organizational measures to mitigate those risks, and the DPO's opinion. National data-protection authorities can request the DPIA during inspections.
Related terms
- GDPR: Regulation (EU) 2016/679, the General Data Protection Regulation, governs processing of personal data of EU residents. Whistleblowing channels process personal data of the reporter, the person reported on, and third parties named in the report. Key articles: Art. 5 (minimisation), Art. 6 (legal basis), Art. 9 (special categories), Art. 17 (erasure), and Art. 30 (records).
- RoPA: A Record of Processing Activities is the GDPR-mandated inventory of every personal-data processing activity in an organisation. Article 30 requires every organisation (with limited small-organisation exemptions) to maintain a written RoPA. For a whistleblowing channel, the entry must include purpose, data categories, recipients, retention, security measures, and any third-country transfers.
- Data Residency: The geographic location where personal data is stored and processed. For EU whistleblowing channels, EU-only data residency is strongly preferred because it avoids GDPR Chapter V transfer complications, aligns with national whistleblower laws such as Loi Sapin II, and simplifies the Article 6 legal-basis analysis. Confidly hosts all data in EU data centres.